By adding the "needClientAuth=true" attribute to the bamboo.jms.broker.uri, client certificates are required by the Bamboo server. However, there seems to be no simple way of setting the activemq SSLContext such that a trustStore can be selected for the broker communication only.

The activemq library used does indeed have the possibility of setting a SSLContext for the broker communication, and one can thereby set the keyStore, trustStore, trustStorePassword, etc, only for the broker, without affecting other communication. Setting the javax.net.ssl.trustStore on the VM is not a good idea, as it will invalidate the general https-traffic from the Bamboo server to e.g. atlassian (for updates/plugins, etc).

Adding the possibility to set e.g. bamboo.jms.broker.ssl.keyStore, etc., would greatly enhance security by adding the possibility to limit connection only to build agents that hold a trusted certificate.